Oh, you’re not, either? Perfect. Let’s share what we know and make each other smarter. Deal?

I’ll go first. Here’s a list of five WordPress plugins that I always install on new blogs to help secure the blog and keep the bad guys away. Have a look through my list and then let me (and other readers) know in the comments what other/different plugins and tactics you recommend.

Matt’s List of WordPress Security Plugins

This plugin “checks for excessively long request strings (i.e., greater than 255 characters), as well as the presence of either ‘eval(’ or ‘base64’ in the request URI.” It also protects “against CONCAT and UNION+SELECT requests.” (I have no idea what any of that means, by the way.)
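To make the quoted rules concrete, here is an added example (my own illustration, not the plugin's code) of a request filter that applies exactly those three checks and runs stand-alone from the command line on a few constructed URIs. The function names, the 403 response, the URL-decoding step and the sample URIs are all assumptions made here; the plugin text only names the rules themselves.

```php
<?php
// Added example, not the Block Bad Queries plugin's own code: a request filter
// applying the three rules the post quotes. PHP 7.1+ assumed (nullable return type).

/**
 * Return a short reason when the request URI matches one of the rules, or null
 * when it should be allowed. $uri is the raw request URI as the web server
 * delivered it (in WordPress that would be $_SERVER['REQUEST_URI']).
 */
function request_block_reason(string $uri): ?string
{
    // Rule 1: excessively long request strings.
    if (strlen($uri) > 255) {
        return 'request string longer than 255 characters';
    }

    // Rule 2: code-evaluation or encoded-payload markers anywhere in the URI.
    // A URL-decoded copy is checked as well so that "%28" hides the "(".
    // (Assumption: the post does not say whether the plugin decodes first.)
    $decoded = rawurldecode($uri);
    foreach (['eval(', 'base64'] as $needle) {
        if (stripos($decoded, $needle) !== false) {
            return "contains '{$needle}'";
        }
    }

    // Rule 3: SQL keyword patterns. '+' is how a space is usually encoded in a
    // query string, so turn it (and any run of whitespace) into one space first.
    $normalised = preg_replace('/\s+/', ' ', str_replace('+', ' ', $decoded));
    if (preg_match('/\bCONCAT\s*\(|\bUNION\s+(ALL\s+)?SELECT\b/i', $normalised)) {
        return 'SQL keyword pattern (CONCAT / UNION SELECT)';
    }

    return null;
}

/** Respond the way such a filter typically does: log, answer 403, stop. */
function enforce_request_filter(string $uri): void
{
    $reason = request_block_reason($uri);
    if ($reason !== null) {
        // Log before blocking so the event shows up in the server error log.
        error_log("blocked request ({$reason}): " . substr($uri, 0, 200));
        http_response_code(403);
        exit;
    }
}

// Constructed sample URIs (not from the original post) showing what each rule catches.
$samples = [
    '/2009/05/wordpress-security-plugins/',
    '/?s=' . str_repeat('a', 300),
    '/?cb=eval(x)',
    '/?id=1+UNION+SELECT+1%2C2',
];
foreach ($samples as $uri) {
    $reason = request_block_reason($uri);
    printf("%-45s -> %s\n", substr($uri, 0, 45), $reason ?? 'allowed');
}
```

In a plugin you would call `enforce_request_filter($_SERVER['REQUEST_URI'])` as early as possible in the request (before any query runs); the demo loop at the bottom only exists so the rules can be seen working on ordinary input.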

This plugin “records the IP address and timestamp of every failed WordPress login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery.” (By the way, this plugin is written by Michael VanDeMar, whose WordPress security services I can personally recommend.)
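The lockout logic described above, as an added example written for this post rather than taken from Michael VanDeMar's plugin: failures are recorded per IP and timestamp, grouped into a /24 range, and the range is locked once it exceeds a threshold inside a sliding window. The threshold, window and lock duration constants, the class and method names, and the hook wiring shown in the comment are assumptions; the plugin's real values and storage are not given in the post. PHP 7.4+ is assumed.

```php
<?php
// Added example, not the plugin's own code: count failed logins per /24 range and
// lock the range out once too many failures land inside a short window.

const LOCKOUT_MAX_ATTEMPTS  = 3;       // failures allowed per range within the window (assumed)
const LOCKOUT_WINDOW_SECS   = 5 * 60;  // "short period of time": 5 minutes (assumed)
const LOCKOUT_DURATION_SECS = 60 * 60; // how long the range stays locked (assumed)

/** Reduce an IPv4 address to its /24 range, e.g. 203.0.113.7 -> 203.0.113.0/24. */
function ip_range_key(string $ip): string
{
    $packed = inet_pton($ip);
    if ($packed === false || strlen($packed) !== 4) {
        return $ip; // IPv6 or malformed input: fall back to the literal address
    }
    $packed[3] = "\0";
    return inet_ntop($packed) . '/24';
}

/**
 * In-memory store for the example. A real plugin persists this (the post says the
 * plugin records the IP and timestamp of every failed attempt), e.g. in a DB table.
 */
final class LoginLockout
{
    /** @var array<string, int[]> range => failure timestamps inside the window */
    private array $failures = [];
    /** @var array<string, int> range => time at which the lock expires */
    private array $locked = [];

    public function record_failure(string $ip, int $now): void
    {
        $key = ip_range_key($ip);
        $this->failures[$key][] = $now;
        // Keep only failures that fall inside the sliding window.
        $cutoff = $now - LOCKOUT_WINDOW_SECS;
        $this->failures[$key] = array_values(array_filter(
            $this->failures[$key],
            fn(int $t) => $t > $cutoff
        ));
        if (count($this->failures[$key]) >= LOCKOUT_MAX_ATTEMPTS) {
            $this->locked[$key] = $now + LOCKOUT_DURATION_SECS;
        }
    }

    /** True while the range's lock has not yet expired. */
    public function is_locked(string $ip, int $now): bool
    {
        $key = ip_range_key($ip);
        if (!isset($this->locked[$key])) {
            return false;
        }
        if ($this->locked[$key] <= $now) {
            unset($this->locked[$key], $this->failures[$key]);
            return false;
        }
        return true;
    }
}

// Assumed WordPress wiring (only meaningful inside a loaded WordPress install):
//   add_action('wp_login_failed', fn($user) => $lockout->record_failure($_SERVER['REMOTE_ADDR'], time()));
//   add_filter('authenticate', fn($user) => $lockout->is_locked($_SERVER['REMOTE_ADDR'], time())
//       ? new WP_Error('locked_out', 'Too many failed logins from your network.') : $user, 1);

// Constructed walk-through: three failures from neighbouring addresses in one range.
$lockout = new LoginLockout();
$t0 = 1_000_000;
foreach (['203.0.113.5', '203.0.113.9', '203.0.113.77'] as $i => $ip) {
    $lockout->record_failure($ip, $t0 + $i * 10);
}
var_dump($lockout->is_locked('203.0.113.200', $t0 + 60));       // same /24 as the failures
var_dump($lockout->is_locked('198.51.100.1', $t0 + 60));        // an unrelated range
var_dump($lockout->is_locked('203.0.113.200', $t0 + 2 * 3600)); // after the lock duration
```

The walk-through locks the whole 203.0.113.0/24 range after the third failure even though each attempt came from a different address, leaves the unrelated range untouched, and releases the lock once its duration has passed. Grouping by range is what makes this useful against a bot that rotates through a handful of neighbouring addresses, at the cost of occasionally locking out an innocent neighbour on the same network.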

This plugin takes care of about a dozen little things at once — tweaks that can help keep your WordPress install secure. One of those involves the same function that Block Bad Queries (#1 above) does. It does things like add an index.php file to your plugins directory so that snoops can’t easily see what plugins you’re running.

This plugin monitors your WordPress installation and sends you an alert when it detects that any files have been added, deleted, or changed. This is good because hackers may break into your install and upload new files or start modifying existing files for their own purposes. If that happens, you’ll get an email. That also means you’ll get an email when you do things like use the WordPress file uploader — so, for example, when I publish this post and upload an image to go with it, a couple minutes later I’m gonna get an email notifying me that images were added to my install. If you publish a lot of blog posts, that might get annoying. But I think it’s a small price to pay for some peace of mind.
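Here is an added example, not the file-monitor plugin's code, of the core of such a monitor: hash every file under the install, store the result as a baseline, and on the next run report what was added, deleted or changed. The demo at the bottom works on a temporary directory it creates itself, so it runs anywhere; the function names, the JSON baseline file and the `wp_mail` line in the comment are assumptions.

```php
<?php
// Added example, not the plugin's own code: snapshot an install's files by hash and
// diff against the previous snapshot. PHP 7.1+ assumed.

/** Map relative path => sha256 for every regular file under $root. */
function snapshot_tree(string $root): array
{
    $root = rtrim($root, '/');
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

/** Compare two snapshots; each value is a list of relative paths. */
function diff_snapshots(array $old, array $new): array
{
    $added   = array_keys(array_diff_key($new, $old));
    $deleted = array_keys(array_diff_key($old, $new));
    $changed = [];
    foreach (array_intersect_key($new, $old) as $path => $hash) {
        if (!hash_equals($old[$path], $hash)) {
            $changed[] = $path;
        }
    }
    return ['added' => $added, 'deleted' => $deleted, 'changed' => $changed];
}

/**
 * Load the previous baseline (if any), diff it against the current tree, persist the
 * new baseline and return the diff. Keep $baseline_file outside the web root, so
 * someone who can write to the install cannot also rewrite the record of it.
 */
function check_install(string $root, string $baseline_file): array
{
    $current  = snapshot_tree($root);
    $previous = is_file($baseline_file)
        ? (json_decode(file_get_contents($baseline_file), true) ?: [])
        : [];
    file_put_contents($baseline_file, json_encode($current), LOCK_EX);
    return diff_snapshots($previous, $current);
}

/** Format a diff as the body of an alert e-mail; an empty string means nothing to report. */
function format_alert(array $diff): string
{
    $lines = [];
    foreach ($diff as $kind => $paths) {
        foreach ($paths as $p) {
            $lines[] = sprintf('%-8s %s', $kind, $p);
        }
    }
    return implode("\n", $lines);
}

// Constructed demo against a temporary directory (not a real install).
$root = sys_get_temp_dir() . '/wp-monitor-demo-' . getmypid();
@mkdir("$root/wp-content/plugins", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // config\n");
file_put_contents("$root/wp-content/plugins/index.php", "<?php // silence\n");
$baseline = "$root.baseline.json";

check_install($root, $baseline);                                  // first run: establish the baseline
file_put_contents("$root/wp-config.php", "<?php // tampered\n");  // simulate a modified file
file_put_contents("$root/wp-content/uploads.php", "<?php\n");     // simulate a new upload
unlink("$root/wp-content/plugins/index.php");                     // simulate a deletion

$body = format_alert(check_install($root, $baseline));
if ($body !== '') {
    echo $body, "\n";
    // Inside a plugin: wp_mail(get_option('admin_email'), 'File changes detected', $body);
}
```

Run from cron (or a scheduled WordPress event) this reports the three kinds of change the post describes, and it is exactly why a legitimate upload also triggers a mail: the monitor cannot tell your image from an intruder's file, only that the tree differs from the baseline.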

This plugin scans your WordPress install looking for a variety of things, like whether or not the WordPress version is hidden, whether you have an .htaccess file in your wp-admin directory, and so forth. I think some of it might duplicate what Secure WordPress (#3 above) does, but I'm not positive. (This is another one where I don’t understand all the details!)

One More Smart & Secure Thing To Do

Backup Your Database — In addition to those plugins (and hopefully more that readers will suggest in the comments), you absolutely must back up your WordPress database regularly. I use a plugin called WordPress Database Backup which is as easy as pie to set up. I have the plugin create a backup of my database every night and send it to a dedicated Gmail account that I don’t use for anything else but database backup storage.

Okay, now it’s your turn: Tell me what’s wrong with the plugins I’m using or add others that I should be using. The floor is open!

Matt, one little security thing I like to do is hide the WP version number from displaying in your metadata in the HTML source code.

Add this line of code to your functions.php file in your theme folder:

remove_action('wp_head', 'wp_generator'); // stops WordPress printing the generator meta tag

Hiding your version number, especially if using an older version, makes any hacker have to guess which exploits to try. Most auto hacker bots are likely looking for version numbers to try their attacks on WP sites they already know how to exploit.

Secondly, you personally are just asking to get hacked running a version that old. The bots don’t bother looking for the version, they merely test and see if the exploits work. If they do (which on older WordPress versions, they will) then the bot just does the hacking. Hiding the version doesn’t really help.

Hey, when we talk about WordPress security, the first thing that comes to mind is Akismet. I think this is a basic security plugin for any WordPress site. Another hit by Automattic; the time savings are well worth installing it. While it may throw some good comments into spam (and you should periodically check for false positives), all in all it still does a fine job.